Pension Benefit Guaranty Corporation
Office of Inspector General
Evaluation Report

Penetration Testing 2001 - An Update

August 28, 2001
2001-18/23148-2

Penetration Testing 2001 – An Update
Evaluation Report 2001-18/23148-2

TABLE OF CONTENTS

EXECUTIVE SUMMARY .......................................... iii
OVERVIEW ................................................... 1
SCOPE ...................................................... 1
METHODOLOGY ................................................ 2
    Phase I: External Network Penetration .................. 2
    Phase II: Internal Network Penetration ................. 3
WORK STANDARDS AND LIMITATIONS ............................. 3
PENETRATION TESTING RESULTS ................................ 4
    1. Internet Security ................................... 4
    2. Dial-In Security .................................... 4
    3. Network Security .................................... 4
    4. Physical Security ................................... 5
    5. Social Engineering .................................. 6
ASSESSMENT OF STRENGTHS .................................... 6
ASSESSMENT OF WEAKNESSES ................................... 7
RECOMMENDATIONS ............................................ 7
AGENCY COMMENTS ............................................ TAB 1

Abbreviations

LAN      Local Area Network
NDS      Novell Directory Services
Novell   Novell Network Operating System
NT       Microsoft Windows NT Operating System
OIG      Office of Inspector General
PBGC     Pension Benefit Guaranty Corporation
UNIX     UNIX Operating System

EXECUTIVE SUMMARY

In January 2001, the Office of Inspector General (OIG) conducted a penetration test of the Pension Benefit Guaranty Corporation’s (PBGC) network security. This was follow-up testing of computer security we conducted in 1999. In October 1999, the OIG issued a report of the results of penetration testing activities on components of PBGC’s information technology. We found significant computer security vulnerabilities, and notified PBGC we would retest the identified weaknesses.

The OIG engaged the PricewaterhouseCoopers Technology Security group (hereafter, the “penetration team”) to focus on gaining access to PBGC systems and resources and escalating privileges on those systems. Throughout the testing, our penetration team attempted to gain the highest level of access possible (administrator) on PBGC systems without performing malicious actions or interrupting existing PBGC services.

Our penetration testing found that PBGC significantly improved its security over network resources to provide protection from malicious external and insider attacks. Our team did find some areas in which PBGC should improve its security that are similar to our 1999 findings.

• We found that not all PBGC accounts have strong passwords. The team was able to obtain user-level access on PBGC’s main Windows NT domain and on PBGC Novell using accounts with either no password or with the password set to the account name. The team was also able to log in with administrator-level privileges to a contractor-operated Novell tree within the PBGC network using an account without a password. However, the team could not exploit the access to this tree to gain entry to the main PBGC Novell Directory Service.

• We also found that PBGC employees are allowing unauthorized personnel access to PBGC office areas.

Recommendations

We recommend that PBGC develop a plan of action to prioritize and address the following strategic recommendations:

    Assign strong passwords to user level accounts with null passwords or passwords set to the account name in the Windows NT and Novell environment. (IRMD-125)

    Assign strong passwords to administrator level accounts with null passwords on the Contractor operated Novell Directory Service tree. (IRMD-126)

    Develop and publicize guidance for employees to monitor and report unauthorized personnel in PBGC office areas. (IRMD-127)

We provided PBGC the opportunity to comment on this report. Those comments were generally favorable, and are attached at TAB 1.

OVERVIEW

In October 1999, the OIG issued a report of the results of penetration testing activities on components of PBGC’s information technology systems (see Penetration Testing 1999, OIG Report No. 2000-3/23137-3). We found significant computer security vulnerabilities, including unauthorized access to PBGC mission-critical systems from remote locations and inside PBGC. For example, during our testing, we obtained the highest security privileges and were able to:

    • Create, delete, and modify data, including financial and plan data;
    • Access, read, and modify information on plan participants; and
    • Deny service on critical PBGC network systems.

We were able to achieve this level of access without being detected or reported. In that report, we notified PBGC we would retest the identified weaknesses.

In January 2001, the Office of Inspector General (OIG) conducted a follow-up penetration test of the Pension Benefit Guaranty Corporation’s (PBGC) network security. The OIG engaged the PricewaterhouseCoopers Technology Security group (hereafter, the “penetration team”) to focus on gaining access to PBGC systems and resources. Throughout the testing, our penetration team attempted to gain the highest level of access possible (administrator) on PBGC systems without performing malicious actions or interrupting PBGC services.

The penetration team performed the following activities:

    ♦ Internal and external penetration tests, including limited social engineering and physical security penetration attempts on PBGC information resources.

    ♦ Tests of the effectiveness of the corrective actions taken by PBGC in response to the findings of the testing performed by the penetration team in 1999.

    ♦ Identification of new vulnerabilities within the PBGC information technology environment.

This testing continues the OIG’s reviews over the past five years that focus on controls and security issues protecting PBGC information technology.

SCOPE

The scope of the penetration testing included:

    ♦ Attempting internal and external penetration of PBGC systems, including the PBGC firewall, web server, and router from the Internet, to determine whether infrastructure and data processing devices are at risk from unauthorized external intrusion;

    ♦ Attempting internal and external penetration through telephone modems and dial-in remote access systems located within PBGC to determine if the network was at risk of unauthorized external intrusion through telephone access; and

    ♦ Attempting internal penetration as an untrusted insider with physical access to the network infrastructure, and through “social engineering,” to determine if PBGC systems were vulnerable to misuse by malicious insiders.

The penetration team used PricewaterhouseCoopers’ proprietary methodologies and common hacker software tools to identify network vulnerabilities. PBGC information systems security practices were compared against controls observed in industry to identify weaknesses and develop recommendations for improvements.

The findings in this report are based on data collected at the time of testing at PBGC. They are a brief “snapshot in time” of our testing and do not reflect any changes made to the system after the data collection activity.

METHODOLOGY

Our methodology for penetration testing focused on gaining access to PBGC systems and resources, and escalating privileges on those systems. Throughout the testing, we attempted to gain the highest level of access possible (administrator) on PBGC systems without performing malicious actions or interrupting existing PBGC services or operations. Our goal was to gain administrator access on PBGC financial systems from both external and internal paths.

Phase I: External Network Penetration

♦ Internet penetration testing

    This process tested the configuration, implementation, and security practices of PBGC's Internet connectivity and access controls, and attempted to identify and exploit security vulnerabilities in order to gain unauthorized access into PBGC networks or devices. The penetration team also retested the vulnerabilities found in 1999 to determine if corrective measures were in place. The testing included:

    • Analyzing a comprehensive footprint of Internet connections to identify PBGC systems connected to the Internet and services running.

    • Using stealth penetration tools and techniques to review the effectiveness of PBGC intrusion detection, monitoring, and incident response capabilities.

♦ Dial-in penetration testing

    This testing included attempts to gain network access via dial-in systems. The penetration team retested the vulnerabilities found in 1999 to determine if corrective measures were in place. The team identified and attempted to exploit dial-in access points through:

    • Using “war-dialer” software to identify modems within the range of the PBGC telephone exchanges.

    • Using known default accounts, specialized scripts, password guessers, and password cracking software to exploit the remote connections identified in the war dialing.

♦ Social engineering testing

    The penetration team scripted social engineering techniques to attempt to gain additional system information or generate a desired user action. The objective of the social engineering techniques was to test PBGC user security awareness and compliance with organizational security policies. The social engineering scenarios used included:

    • Calling the Help Desk posing as a computer-illiterate user and asking for the assignment of a new password.

    • Calling a PBGC user posing as a help-desk employee or systems administrator and convincing them to reveal their usernames or passwords.

Phase II: Internal Network Penetration

♦ Physical penetration testing

    The penetration team attempted to gain unauthorized physical access to PBGC systems by circumventing or exploiting weaknesses in the physical security protecting network systems at PBGC. Our activities were limited to attempts at entering the building through the main entrance during business hours and locating open office areas or communications closets. Our goal was to gain unchallenged access to PBGC spaces and attempt to connect or log on to the network through available resources.

♦ Insider penetration testing

    The team performed controlled insider penetration tests, in which we attempted to identify vulnerabilities to insider exploitation in order to gain unauthorized access or privileges on critical systems and data on the PBGC network. The insider testing evaluated PBGC’s defenses against malicious individuals with internal access to PBGC facilities and systems. Specific steps included:

    • Attempting to gain network access without a valid user account.

    • Performing a detailed search and footprint analysis of internal network paths.

    • Conducting systematic attempts to gain unauthorized access and privileges via internal and trusted links by exploiting vulnerabilities and network services.

    • Analyzing vulnerabilities to exploit by attempting to map network topology; increasing level of privileges; obtaining access to password files, e-mail, and other sensitive data; and gaining access to other network segments or subnets.

    • Testing the intrusion detection and incident response actions.

WORK STANDARDS AND LIMITATIONS

This task was conducted in accordance with the Standards for Consulting Services established by the American Institute of Certified Public Accountants. Accordingly, in this report, we provide no opinion or other forms of assurance with respect to the systems reviewed. The testing provided a view of network security for PBGC at the time of the testing and does not reflect system conditions into the future. Due to the nature of information systems security, it does not ensure all vulnerabilities have been identified.

PENETRATION TESTING RESULTS

Our penetration testing found that PBGC significantly improved its security over network resources to provide protection from malicious external and insider attacks. The testing team was not able to access PBGC systems via external testing from the Internet or dial-in access points. Internal network penetration testing, social engineering, and physical security testing also failed to generate significant access to PBGC’s systems.

♦ Internet Security

Attempts to penetrate or bypass access controls on the firewall, web servers, and other Internet systems were unsuccessful. This means we did not gain unauthorized access to PBGC Internet systems or users’ electronic mail from the Internet.

Through Internet penetration testing, we identified seven PBGC hosts with one high, three medium, and three low level vulnerabilities on these hosts. During manual testing of these vulnerabilities, the team was unable to exploit the high level vulnerability and one of the medium level vulnerabilities. The remaining identified vulnerabilities, while exploitable, would not allow an unauthorized user to gain control of the systems.

♦ Dial-In Security

The penetration team’s attempts to circumvent PBGC dial-in access controls were unsuccessful. Using a war-dialing program, the team was able to identify five modems in the PBGC exchange. One of these modems was linked to a non-PBGC organization and the other four modems appeared to be fax machines. The team was unable to gain access to PBGC network resources through the five modems.

The team also attempted to penetrate the PBGC Wide Area Network using dial-in access points that were compromised during the 1999 testing. None of the modem numbers identified in 1999 were being used by PBGC; some were disconnected, and others were voice lines for non-PBGC organizations.

♦ Network Security

Simulating an individual with physical access to the PBGC office spaces, the penetration team connected to the internal PBGC network and attempted to gain unauthorized access to the Windows NT, Novell, UNIX, and network devices. Unlike our testing in 1999, we could not:

    • gain administrator-level access to either the Novell or Windows NT environments, though we did gain user-level access by using accounts without passwords or with passwords set to the account name (see below);
    • gain access to PBGC UNIX systems or network devices (routers, switches, etc.); and
    • gain access to PBGC’s production database applications (Oracle), including the Participant Records Information Systems Management System and the Premium Accounting System.

Based on this testing, we found that PBGC improved its network security since 1999, and current security controls protect critical systems from unauthorized access and abuse originating from the internal network or from external sources.

The penetration team, however, did identify the following vulnerabilities:

    • Novell

        We discovered user-level accounts without passwords and with passwords set to the account name on the PBGC Novell Directory Service (NDS). The NDS defines and organizes the components of the network, e.g., users, files, and printers. Through these user-level accounts, the team was able to access the PBGC NDS and PBGC Novell servers. Additionally, the team was able to explore files and use native Novell programs to discover information about key users and servers.

        In addition, the penetration team gained administrator-level access to a contractor-operated NDS within the PBGC network using an account without a password. The contractor NDS is separate from the main PBGC NDS. This account provided the team full access to the contractor NDS, and would have allowed them to add or delete users and modify files. Although the team could not gain access to the PBGC Novell tree using the administrator privileges from the contractor-operated NDS, we could read the files in the Contractor tree, including those pertaining to PBGC. Although PBGC may not be directly responsible for administering the servers on this tree, the supervisor level accounts without passwords should immediately be removed or assigned stronger passwords.

    • Windows NT

        The team was able to identify one user account with the password set to the account name on the Windows NT domain. Using this account, the team authenticated to the Primary Domain Controller, but could not access files on the system. The team was unable to elevate the account’s access to the administrator level.

        The team was able to connect to ten Windows NT systems by using a null connection (no username or password). Using common hacker tools from the Internet and commands native to the Windows NT operating system, the team was able to extract user and group membership information from the systems.

    • UNIX

        The team found services running on UNIX systems that may not be needed, e.g., “finger” and “r” services. Finger and r services are part of the UNIX operating system that provide certain information such as users and log-ins. Using these services, the team obtained valid user account names. However, the team could not successfully exploit the accounts or services to gain access to UNIX systems.

♦ Physical Security

The team’s physical penetration efforts consisted of attempts to gain unauthorized physical access to PBGC network systems at 1200 K Street. PBGC’s space is secured through locked hallway doors leading into office space that are opened by using an individually-assigned access card. During the physical security penetration testing, our team gained entry to the 10th floor office space as an employee was exiting. This allowed the team to walk around the floor for some time before being questioned by a PBGC employee.

The team also gained entry by following a PBGC employee into 9th floor office space and walked around unchallenged for approximately fifteen minutes. During this period, the team entered an office and successfully logged into the PBGC network from a user’s terminal using accounts and passwords obtained during the 1999 internal testing.

As the team was leaving the 9th floor office space, a PBGC employee questioned them about who they were. The employee stated he was going to call building security. At that point, the team revealed that they were performing a physical security review for the OIG. The employee called the OIG contact to validate the team’s claim. The OIG contact informed the employee that the team was conducting a test and did have authorization from the OIG to be in the building. The employee did not call building security to have the team escorted from the building.

Our testing found that although two PBGC employees challenged unauthorized outsiders and followed escalation procedures, there were many that did not. We also found that the only written guidance concerning monitoring and reporting unauthorized persons in PBGC space is an attachment to a 1994 building security memorandum. As a result, PBGC should develop and publicize guidance regarding employees’ responsibility for monitoring and reporting unauthorized persons in PBGC space. This will enhance PBGC’s security awareness programs and increase employee knowledge and vigilance of PBGC physical security policies.

PBGC has taken steps to secure the Local Area Network (LAN) closets that were accessed during the 1999 penetration test. A metal strip was installed on the LAN closet doors to prevent access by means of compromising the lock, as was easily done in 1999. The team also was unsuccessful at gaining unauthorized access to the main PBGC computer room.

♦ Social Engineering

The social engineering tests consisted of scripted scenarios that tested user awareness of and compliance with PBGC security policies and procedures. The penetration team’s efforts included two scenarios: calling the Help Desk and asking to be assigned a new password, and contacting a PBGC employee in an attempt to have them reveal their password. During the call to the Help Desk, the team was informed that in order to have a password reset, a user must go to the Help Desk window in person, and provide a valid ID. The Help Desk would not reset the password over the phone. During the calls to PBGC staff members, the team was unable to persuade PBGC employees to reveal their passwords.

ASSESSMENT OF STRENGTHS

Comparing our original 1999 testing results to our 2001 penetration re-testing, we noted improvements in PBGC’s security measures and control elements over information technology, including the following strengths:

    • The Internet firewall configuration blocks unauthorized and unnecessary traffic to the PBGC internal network.

    • Internet vulnerability scans of the PBGC Web Servers did not identify any significant weaknesses.

    • Attempts to compromise the Internet mail server were not successful.

    • PBGC dial-in access points could not be compromised.

    • The intrusion detection system discovered the team’s internal testing attempts.

    • Novell servers could not be accessed remotely via the “rconsole” utility.

    • UNIX systems require SecurID (tokens for remote log-in and super-user status) for authentication and could not be accessed.

    • UNIX systems are using secure shell for remote access. This encrypts the network traffic to prevent “sniffing” user names and passwords, etc.

    • Help Desk procedures for password resetting help counter social engineering attempts.

    • Account lockout was enabled on all PBGC systems and network devices tested.

    • PBGC routers are not using easily guessed protocols, such as SNMP community strings.

ASSESSMENT OF WEAKNESSES

    • PBGC needs to take steps to ensure that every account on the system has strong passwords. User level access was obtained on PBGC’s main Windows NT domain and on the PBGC Novell tree using accounts with either no password or with the password set to the account name. This is a repeat of a 1999 finding.

    • The team was able to log in with administrator-level privileges to the contractor-operated Novell Directory Service using an account without a password. It appeared that PBGC set up some Novell servers and created an NDS for the contractor. This condition poses a risk as an unauthorized individual may use entry to the contractor-operated tree in order to gain entry to the PBGC internal network via these Novell servers. Since this was a contractor for PBGC, there were files and data containing information about PBGC on its NDS. The penetration team was capable of reading, modifying or deleting this data. This data appeared to be sensitive and PBGC should address this issue.

    • Unauthorized persons are able to gain access to locked PBGC space and walk around unchallenged. While there were indications of some improved employee awareness, there were also indications of the continued need for improvement in this area. This was a 1999 finding.

RECOMMENDATIONS

Based on the results of our testing, the following actions are recommended:

    Assign strong passwords to user level accounts with null passwords or passwords set to the account name in the Windows NT and Novell environment. (IRMD-125)

    Assign strong passwords to administrator level accounts with null passwords on the Contractor operated Novell Directory Service tree. (IRMD-126)

    Develop and publicize guidance for employees to monitor and report unauthorized personnel in PBGC office areas. (IRMD-127)

Tab 1